The NSA wiretapped the cow and got the milk for free

Today three major news organizations, the New York Times, the Guardian, and ProPublica, released details of the most intrusive NSA activity to date.  The NSA and the GCHQ, the British counterpart of the NSA, have “been looking for ways into protected traffic of popular Internet companies: Google, Yahoo, Facebook and Hotmail.”  Microsoft apparently handed over pre-encryption access to Outlook e-mail, Skype and SkyDrive.  Companies have also put back doors into hardware and software products at the request of the NSA.

The NSA and the companies who allowed the back doors have broken the public’s trust.  It’s time we take back the Internet.  As usual, the Electronic Frontier Foundation has an excellent summary of this issue and a list of actions you can take.  This is a two-pronged attack.  First, we should petition our elected officials, which is very easy to do from the EFF’s take-action site.  Second, if the companies don’t stand up for their users, you can vote with your feet and leave their feudal system.  I don’t use Microsoft, Yahoo, or Facebook, but I do use Google and Apple.  While Google has claimed there are no back doors, Google is also asking permission from the Government to tell the public about what it does provide.  That sounds like a Kafka novel to me, and I think I’m going to go looking for a new email provider.  Apple lost me when I had to ask permission to install applications.  In the writing of this post, I discovered something new about myself: I don’t like asking permission for things 🙂 .

But we should also step up our defenses. Bruce Schneier published a list of recommendations for maintaining (some) control over privacy and security online.  Read the article for the details, but the short list is:

  • Hide in the network. (i.e. use Tor)
  • Encrypt your communications. (use HTTPS Everywhere)
  • Assume that while your computer can be compromised, it would take work and risk on the part of the NSA so it probably isn’t.
  • Be suspicious of commercial encryption software, especially from large vendors.
  • Try to use public-domain encryption that has to be compatible with other implementations.

For those looking for a more complete software list, check out PRISM Break.

Lastly, Bruce Schneier closed with this call-to-arms:

To the engineers, I say this: we built the internet, and some of us have helped to subvert it. Now, those of us who love liberty have to fix it.

A simple and inexpensive way to accomplish this is to go buy a $45 BeagleBone Black and set it up as a Tor relay to help grow the Tor network.  You can follow my instructions to set this up and have a low-power, freedom-protecting Tor relay.

Of course, you can also join the EFF too or get the t-shirt that the NSA tried to censor, just for fun.

PostgreSQL Security

My first “in-person” class of my graduate program was a discussion on the security of PostgreSQL given by Bruce Momjian.  Not surprisingly, PostgreSQL offers a full range of SSL support and a slew of encryption options.  As impressive as the options are, the challenge, it seems to me, is deciding what trade-offs make sense for a particular deployment.

For example, if one chooses column-level encryption, then that data is opaque not only to malicious entities but also to friendly daemons like the statistics collector.  There are definitely some interesting systems engineering decisions that need to be made when deciding what data is critical enough to be encrypted.
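As an added illustration of that trade-off (not from the class or this post), here is column-level encryption with PostgreSQL's pgcrypto extension; the table, sample rows and key are constructed placeholders:

```sql
-- Added example: encrypting one column with pgcrypto, and what the
-- statistics collector and planner can still see afterwards.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE patients (
    id      serial PRIMARY KEY,
    name    text,
    ssn_enc bytea              -- ciphertext only; plaintext is never stored
);

-- Assumed: the passphrase is supplied by the application at query time
-- (a constructed placeholder here), not stored in the database.
-- 1000 rows but only 100 distinct SSNs, so duplicates are expected.
INSERT INTO patients (name, ssn_enc)
SELECT 'patient ' || i,
       pgp_sym_encrypt('123-45-' || lpad((i % 100)::text, 4, '0'),
                       'PLACEHOLDER_KEY')
FROM generate_series(1, 1000) AS i;

ANALYZE patients;

-- The statistics collector only ever sees ciphertext. pgp_sym_encrypt salts
-- every message, so equal plaintexts produce different bytea values and the
-- gathered n_distinct cannot reflect the 100 real values.
SELECT attname, n_distinct, null_frac
FROM   pg_stats
WHERE  tablename = 'patients' AND attname = 'ssn_enc';

-- Any lookup by SSN must decrypt each row inside the server process: no
-- index on ssn_enc can satisfy the predicate, and the key travels with the
-- query. This is the cost side of keeping the data hidden from the daemons.
EXPLAIN
SELECT name
FROM   patients
WHERE  pgp_sym_decrypt(ssn_enc, 'PLACEHOLDER_KEY') = '123-45-0042';

-- Contrast: an unencrypted column keeps ordinary statistics and indexing.
CREATE INDEX patients_name_idx ON patients (name);
EXPLAIN SELECT id FROM patients WHERE name = 'patient 42';
```

The two EXPLAIN plans make the decision concrete: the encrypted column forces a full scan plus a decrypt per row, while the plain column can use its index and planner statistics.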

On the TLS side, I couldn’t help but think of Adam Langley’s (Google Chrome TLS guy) talk from HOPE #9, which I unfortunately did not attend, but fortunately the audio is now posted!  Essentially, if the state of web SSL is as bad as he says it is, I wonder how many databases actually have SSL configured correctly?  Of course, security is a multi-pronged beast, and SSL isn’t going to help you when somebody steals the hard drive with your database on it.

Having taken classes only online, I took advantage of this antiquated medium (going to class in person is so 2011) and asked a lot of questions, probably much to the chagrin of my fellow students.  But it was a nice change of pace, and I can see why so many physical study groups have sprung up around the Coursera courses.